Encryption Strength

Actual encryption strength may vary between different servers

SSL/TLS Certificates provide secure transmission for your website, so it's important to understand how it does so, and what your options are for encryption strength. So let's quickly talk details.

First of all, what is encryption? Encryption is the process of encoding messages so that only an authorized party can read them. In the context of web encryption, a web server (which hosts a website) establishes a connection with a client (a web browser) in which all communication from the browser is essentially scrambled. The reason for this is so that third parties cannot intercept or manipulate that communication. The server, which holds the correct key to decrypt (or, in this example, unscramble) the communication, is the only party that can read it.


Factors of Encryption Strength

Now, let's talk about encryption strength. There are two main factors contributing to your encryption strength: your certificate's private key (also referred to as a key pair, or just a key) and your server's configuration.

Private Keys

When it comes to your private key, you have two main choices: RSA or ECC (Elliptic Curve). RSA is a system that has been around for decades and is very reliable and widely supported by servers and browsers. When you see "2048-bit keys," that's referring to RSA. If you are not sure what you need, RSA is a safe default choice, and all SSL certificate products support it.

ECC is a newer technology that sits at the cutting edge of encryption strength and speed. If you are chasing the ultimate in performance, ECC is the choice for you. Support for ECC may not be available if you are running an older web server (notably, Windows Server 2003 or older, or a version of Apache earlier than 2.2.26). On the client side, support should not be a problem unless you have a large number of users on Windows XP. Not every SSL certificate we sell supports ECC keys, so keep that in mind when picking your certificate.

Something to Remember...

The type of SSL certificate you choose has no bearing on the options available during server configuration – the OS your server is running will dictate that. So cipher suites and protocol version are not something you need to worry about when picking a certificate. You will take care of those settings when installing the certificate.

Server Configuration

Your connections will be secure whether you pick an RSA or ECC key. What's more pressing is your server's configuration. Here, we are concerned with the settings for cipher suites and SSL/TLS protocol versions. The cipher suite controls the encryption method that will be used once a secure connection has been established between your server and a client's browser. There are a lot of options for cipher suites (so many that we won't get into specifics here), but you can change the suites you are using at any time by updating your server's relevant configuration files.

When it comes to cipher suites, we are mainly concerned with server capabilities, not the client's browser. Some servers have been a bit slow to add support for the newest and strongest ciphers, but even more troubling is the default configuration of some servers, which enables suites that are known to be unsafe.

Final Thought

You want to make sure that you support the proper SSL/TLS protocol versions. SSL and TLS are names for different versions of the same protocol. Just like cipher suites, it's your server's configuration that dictates what protocol version you use, and you won't want to use the older insecure versions (SSL 2.0 and SSL 3.0). Mozilla's SSL Configuration Generator provides presets for most major server OSs and takes care of both settings together.
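As an added illustration of the two server-side settings discussed above (protocol versions and cipher suites), and not code from the original page or from the certificate vendor, the Python standard-library script below builds a server `ssl.SSLContext` that refuses SSL 2.0/3.0 and TLS 1.0/1.1 and offers only forward-secret AEAD suites, then audits any context for the unsafe leftovers the text warns about. The cipher string and the `WEAK_MARKERS` list are assumptions chosen for this example; for a production preset, use the Mozilla SSL Configuration Generator named above.

```python
import ssl

# Substrings marking cipher suites that should never stay enabled: broken or
# obsolete primitives, anonymous key exchange, and pre-shared-key suites.
# (Constructed for this example; not an exhaustive deny list.)
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK")

# OpenSSL cipher-list string in the spirit of the Mozilla "intermediate"
# preset (constructed here; consult the generator for the current text).
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK"


def cipher_findings(name: str) -> list:
    """Return the problems with one cipher suite name (empty list = acceptable)."""
    findings = []
    upper = name.upper()
    for marker in WEAK_MARKERS:
        if marker in upper:
            findings.append(f"uses {marker}")
    # TLS 1.3 suites (TLS_...) always use ephemeral key exchange; for TLS 1.2
    # names, forward secrecy requires (EC)DHE to appear in the suite name.
    if not upper.startswith("TLS_") and "DHE" not in upper:
        findings.append("no forward secrecy")
    return findings


def weak_ciphers(names) -> dict:
    """Map each unacceptable cipher name in `names` to its findings."""
    return {n: f for n in names if (f := cipher_findings(n))}


def hardened_context() -> ssl.SSLContext:
    """Server-side context allowing TLS 1.2+ only, with forward-secret suites.
    The certificate and key would be loaded with ctx.load_cert_chain(...)
    before use; that step is omitted because this example has no files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0/1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Report a legacy minimum protocol version and any cipher suite the
    context would still offer that fails the checks above."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"allows {ctx.minimum_version.name}")
    for c in ctx.get_ciphers():  # one dict per suite OpenSSL would offer
        for f in cipher_findings(c["name"]):
            problems.append(f"{c['name']}: {f}")
    return problems
```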